Grails Spring Security插件 - 修改登录用户的权限
[英]Grails Spring Security plugin - modify logged in user's authorities
问题描述
I have a simple Grails app with Spring Security Core plugin installed and working fine. 
我有一个简单的Grails应用程序,安装了Spring Security Core插件,工作正常。 However, I haven't found any solution to the problem with updating a logged in user's authorities in the security context. 但是,我没有找到任何解决方案来更新安全上下文中登录用户的权限。 I am not talking about updating the current user's details (ie springSecurityService.reauthenticate). 我不是在谈论更新当前用户的详细信息(即springSecurityService.reauthenticate)。
My problem is: I have a simple user management app with ROLE_ADMIN and ROLE_USER authorities used. 我的问题是:我有一个简单的用户管理应用程序,使用ROLE_ADMIN和ROLE_USER权限。 Now, I have 2 administrators logged in at the same time (with ROLE_ADMIN authority) from different computers, and one admin decides to change the other admin's authority from ROLE_ADMIN to ROLE_USER. 现在,我有2名管理员同时从不同的计算机登录(具有ROLE_ADMIN权限),并且一名管理员决定将其他管理员的权限从ROLE_ADMIN更改为ROLE_USER。
How can I update the user and role so that the modified user (with new ROLE_USER role) cannot perform any ROLE_ADMIN level actions and is immediately redirected to ROLE_USER level pages? 如何更新用户和角色,以便修改后的用户(具有新的ROLE_USER角色)无法执行任何ROLE_ADMIN级别操作,并立即重定向到ROLE_USER级别页面? Is there a way to update the security context so I don't have to do additional checking in all the controller actions whether the logged in user's authorities have been changed? 有没有办法更新安全上下文,所以我不必在所有控制器操作中进行额外检查,无论登录用户的权限是否已更改? Can I use the cahceUsers property for that somehow? 我能以某种方式使用cahceUsers属性吗? I haven't modified the cacheUsers and in my understanding, it's false by default. 我没有修改cacheUsers,根据我的理解,默认情况下它是假的。 Please, correct me if I'm wrong. 如果我错了,请纠正我。
EDIT: The sequence that's causing the problem is 编辑:导致问题的顺序是
Administrator "A" modifies administrator "B" and sets a new role (ROLE_USER) for administrator "B"
管理员“A”修改管理员“B”并为管理员“B”设置新角色(ROLE_USER) the code calls
PersonRole.removeAll(personInstanceB) and PersonRole.create(personInstanceB, roleAdmin)and everything is updated normally代码调用PersonRole.removeAll(personInstanceB) and PersonRole.create(personInstanceB, roleAdmin),一切都正常更新at the same time Administrator "B" is already logged in when their authorities are modified.
同时管理员“B”已在其权限被修改时登录。 Administrator "B" can continue working on ROLE_ADMIN restricted pages until he/she logs out and does a new login. 管理员“B”可以继续处理ROLE_ADMIN受限页面,直到他/她注销并进行新登录。 Only then the authorities are updated and Administrator "B" has the new role (ROLE_USER) 只有这样才能更新权限并且管理员“B”具有新角色(ROLE_USER) I want Administrator "B" to be redirected to the ROLE_USER pages when the user is updated with the new role and not only after logout/login
我希望管理员“B”在用新角色更新用户时重定向到ROLE_USER页面,而不仅仅是在注销/登录后 calling
springSecurityService.reauthenticate personInstanceB.username)causes Administrator "A" to be "logged in" as Administrator "B" so this does not work.调用springSecurityService.reauthenticate personInstanceB.username)导致管理员“A”以管理员“B”“登录”,因此这不起作用。
Any ideas would be very welcome. 任何想法都会非常受欢迎。 I may have missed something simple here but I have no idea what the solution would be. 我可能在这里错过了一些简单的东西,但我不知道解决方案是什么。
Cheers, mizzzto 干杯,mizzzto
2 个解决方案
解决方案1
11 已采纳 2011-06-20 12:07:35
This is untested but give it a try 这是未经测试但尝试一下
In your controller/service class, 在您的控制器/服务类中,
...
User user = User.get(springSecurityService.principal.id) //get the user
Role adminRole = //get or create the admin Role
UserRole.remove user, role // remove admin Role
Role userRole = // get or create the user Role
UserRole.create user, role //add the user Role
...
if (!user.hasErrors() && user.save(flush: true)) {
springSecurityService.reauthenticate user.username // refresh the users security deatils
}
....
EDIT 编辑
That is a lot clearer now. 那现在更清楚了。
What I would do off the top of my head is use the switch user function. 我要做的就是使用切换用户功能。 see Switch User 请参阅切换用户
- First you set the
useSwitchUserFilterattribute totrue首先,将useSwitchUserFilter属性设置为true - It is advised you make a new role(eg
ROLE_SWITCH_USER) for this priviledge.建议您为此权限创建一个新角色(例如ROLE_SWITCH_USER)。 in your admin page somewhere,
在你的管理页面的某个地方, <sec:ifAllGranted roles='ROLE_SWITCH_USER'> <form action='/j_spring_security_switch_user' method='POST'> Switch to user: <input type='text' name='j_username'/> <br/> <input type='submit' value='Switch'/> </form> </sec:ifAllGranted>- log in as the user you wish to edit using their username 使用用户名以您要编辑的用户身份登录
- change their role settings by making a call to the
adminToUser()method below(for example)通过调用下面的adminToUser()方法更改其角色设置(例如) - switch back to the original user 切换回原始用户
- Done. 完成。
-- You can use the code form the first answer to create a method in your controller or service that take a userInstance and changes thier role from admin to user. - 您可以使用第一个答案的代码在控制器或服务中创建一个方法,该方法接受userInstance并将其角色从admin更改为user。
def adminToUser(user, adminRole, userRole){
UserRole.remove user, adminRole
UserRole.create user, userRole
if (!user.hasErrors() && user.save(flush: true)) {
springSecurityService.reauthenticate user.username
}
}
解决方案2
6 2012-11-08 18:43:07
I have solved this problem by reauthenticating twice: 我通过重新验证两次解决了这个问题:
Save the name of the administrator who is demoting the other user: 保存降级其他用户的管理员名称:
def originalUserName = springSecurityService.principal.name
springSecurityService.reauthenticate user.username
springSecurityService.reauthenticate originalUserName
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.